Why the Threat Level to SCADA and Industrial Control Networks is Increasing

In the past, the main reason for securing a SCADA/ICS network was to protect against inadvertent network incidents or attacks from insiders. The risk of an external malicious cyber-attack was considered minimal.

And then we witnessed the rise of global terrorism in the new millennium - and the disclosure of Stuxnet.

In 2010, Stuxnet was successfully introduced into an apparently ‘air-gapped’ facility with the intent to destroy an industrial process. As I discussed in my blogs on Stuxnet, the worm used multiple methods to infiltrate the target site, the most famous of which was the use of a USB key. Its discovery had multiple effects:

2. New advanced persistent threats targeting industry began to emerge.

Stuxnet wasn’t the first advanced persistent threat (APT), but it was the first to focus on industry. As well, it was so well dissected by security experts that it became an “APTs for Dummies” cookbook on how to write attacks that target industrial companies.

Most recent APTs have focused on industrial espionage to steal business information from the energy industry, but others like Shamoon (which was not all that ‘advanced’ or ‘persistent’) have been successful at destroying large computer systems. Expect to see lots more APTs being discovered in the next few years. And if we don’t see more, it is likely due to the fact that we haven’t found them yet, not that they don’t exist. After all, industrial-focused APTs are clearly effective for their creators, so why would they stop creating them now?

3. Low-grade cyber “warfare” goes mainstream.

Stuxnet has been widely attributed to a joint U.S./Israeli project to destroy Iran’s uranium enrichment program. Its existence has given tacit approval to other nations and political groups to use cyber-attacks as a form of undeclared warfare. Most recently, we have seen large scale attacks on South Korea that have been attributed to North Korea.

My advice? If you have critical industrial facilities in any politically sensitive region (such as the U.S., the Middle East or the Far East), now is the time to renew your cyber security efforts.

While the threat has increased significantly, the opportunity to connect to a SCADA or ICS system has too. In the good old days, industrial networks ran on proprietary networks, used proprietary equipment, and were isolated from business networks and the internet. This was the era of both ‘security by obscurity’ and ‘security by air gap’ (if you are a regular reader of my blog, you’ll know my views on the air gap theory!).

But over the last decade, things have changed. Industrial networks have migrated from proprietary systems to commercial off-the-shelf technology like Ethernet, TCP/IP and Windows. What’s more, today’s industrial systems require a constant stream of updates from the outside world. There’s no denying it – the industrial floor is no longer isolated.

It’s also true that devices such as programmable logic controllers (PLCs) and distributed control systems (DCS) were designed with a focus on reliability and safety, rather than security. This makes many of them, particularly older units, easy to exploit. And the protocols that SCADA and ICS use to communicate are no different – designed to be reliable and easy to troubleshoot, most protocols lack even the most basic security features like authentication. As the Tofino test team likes to say, “If you can ping it, you can own it”.
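The point about protocols with no authentication is easiest to see in a frame parser. The following is an added example, not code from the post or from Tofino: it assumes Modbus/TCP as a representative industrial protocol (the post names none), walks the public MBAP header and function code, and shows that the only thing separating a legitimate write from an unwanted one is which host sent it. Since the protocol carries no identity, the network has to supply the policy, so the detector flags state-changing function codes from hosts outside a constructed allowlist. All addresses, packets and the allowlist are constructed for the example.

```python
"""Added example: flagging unauthenticated write commands on an ICS network.

Modbus/TCP is assumed here as a representative industrial protocol. The
frame layout is the public Modbus/TCP MBAP header plus PDU; the sample
packets, host addresses and write-allowlist are constructed for this demo.
"""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Function codes that change PLC state. The protocol carries no proof of who
# sent them, so a network-level allowlist has to decide who may.
WRITE_FUNCTION_CODES = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
    23: "Read/Write Multiple Registers",
}


@dataclass
class ModbusRequest:
    src: str
    dst: str
    transaction_id: int
    unit_id: int
    function_code: int
    payload: bytes


def parse_modbus_tcp(src: str, dst: str, data: bytes) -> Optional[ModbusRequest]:
    """Parse the 7-byte MBAP header and the function code; None if malformed."""
    if len(data) < 8:
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", data[:7])
    if proto != 0:                 # protocol identifier is always 0 for Modbus
        return None
    if length != len(data) - 6:    # length field counts unit id + PDU bytes
        return None
    return ModbusRequest(src, dst, tid, unit, data[7], data[8:])


def find_unauthorized_writes(
    packets: List[Tuple[str, str, bytes]],
    allowed_writers: Dict[str, Set[str]],
) -> List[str]:
    """Return one alert per state-changing request from a non-allowlisted host.

    allowed_writers maps a PLC address to the engineering/HMI hosts permitted
    to write to it (a constructed policy; in practice it comes from the site's
    asset inventory).
    """
    alerts = []
    for src, dst, data in packets:
        req = parse_modbus_tcp(src, dst, data)
        if req is None:
            alerts.append(f"{src} -> {dst}: malformed Modbus/TCP frame")
            continue
        name = WRITE_FUNCTION_CODES.get(req.function_code)
        if name and src not in allowed_writers.get(dst, set()):
            alerts.append(
                f"{src} -> {dst} unit {req.unit_id}: {name} "
                f"(fc {req.function_code}) from non-allowlisted host"
            )
    return alerts


def build_request(tid: int, unit: int, fc: int, pdu_data: bytes) -> bytes:
    """Build a Modbus/TCP request frame (used here only to construct samples)."""
    pdu = bytes([fc]) + pdu_data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed traffic: an HMI at 10.0.0.10 is the only host allowed to write to
# the PLC at 10.0.1.5; 10.0.0.77 is some other machine on the same segment.
ALLOWED_WRITERS = {"10.0.1.5": {"10.0.0.10"}}
SAMPLE_PACKETS = [
    # HMI reads 10 holding registers from address 0 (fc 3): not a write
    ("10.0.0.10", "10.0.1.5", build_request(1, 1, 3, struct.pack(">HH", 0, 10))),
    # HMI writes register 1 := 0x00FF (fc 6): allowed by policy
    ("10.0.0.10", "10.0.1.5", build_request(2, 1, 6, struct.pack(">HH", 1, 0x00FF))),
    # Other host writes two registers from address 100 (fc 16): alert
    ("10.0.0.77", "10.0.1.5", build_request(3, 1, 16,
        struct.pack(">HHB", 100, 2, 4) + struct.pack(">HH", 1, 2))),
    # Other host forces coil 7 ON (fc 5): alert
    ("10.0.0.77", "10.0.1.5", build_request(4, 1, 5, struct.pack(">HH", 7, 0xFF00))),
    # Truncated frame: alert as malformed
    ("10.0.0.77", "10.0.1.5", b"\x00\x05\x00\x00"),
]


def run_demo() -> List[str]:
    return find_unauthorized_writes(SAMPLE_PACKETS, ALLOWED_WRITERS)


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

The parser accepts the rogue writes exactly as readily as the HMI's: nothing in the frame distinguishes them. That is why the mitigation lives outside the protocol, in segmentation and in knowing which hosts are supposed to talk to which controllers.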

The Perfect Storm for the Attacker

Today it is clearly a game with the advantage going to the attacker – millions of decades-old systems that were never designed to be secure, increasing connectivity of SCADA and ICS, and a growing library of free tools and techniques to attack SCADA and ICS.

It’s evident then that there’s no simple solution to securing our critical infrastructure. The process is going to take a lot of time and effort - and very careful planning. But regardless of the pain points involved, investing in industrial network security is not only responsible, it’s necessary for any mission critical application.

If our heads of state are taking this issue seriously then so should industry.

I’d love to hear your views on this topic. Do you think we are taking the subject of industrial cyber security seriously enough? Have we made any progress?

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
